Indicator Removal: File Deletion

Created the Tuesday 07 February 2023. Updated 6 months, 3 weeks ago.

Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. An example of built-in Command and Scripting Interpreter functions is del on Windows.

Technique Identifier

T1070.004

Technique Tags

Defense Evasion infection clean-up del evidence removal

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Indicator Removal: File Deletion, Sub-technique T1070.004 - Enterprise | MITRE ATT&CK®